May Ext JS 3.x code under commercial license be changed?

We procured the Ext JS commercial license for our enterprise application product. We did not do any upgrading from Ext JS 3.x because of the limited developer resource available. Ext JS 3.x has already ended their extended support service earlier this year. However, during a SonarQube SAST code scanning, we found that there may be some potential vulnerabilities that we would like to have them fixed.

The question is whether we may change the Ext JS 3.x code without breaking the commercial license.

Appreciate if someone may give me some insights.

Much appreciation will be extended for any Sencha/Idera comments and suggestion on how we may properly handle such security vulnerabilities on unsupported obsolete versions without having to do product upgrade.